Four Reasons the New York Times Was Hackable

Here's the how-to story that a Times reporter should write about the attack that brought down the paper's website.

If you're tired of trying to keep an expression of intelligent comprehension on your face during conversations with the techies in your workplace, family, or social circle, relax.

It is reliably estimated (by me) that 90% of the population of the modern world is valiantly trying to maintain the same pretense, while the remaining 10% are using a private language intended to obfuscate rather than enlighten.

This fact of 21st century life is extremely inconvenient when trying to identify who to blame for a massive business failure, which may be the point. However, it also makes it difficult to prevent the next massive business failure.

Somewhere in the miles of coverage of the New York Times website service outage that stretched to 20 hours in the middle of this week, sending readers to Facebook (NASDAQ:FB) for all the news that's fit to print, there must be an explanation in plain English of what happened.

That is, how did a bunch of hackers called the Syrian Electronic Army manage to bring down the New York Times? The question is particularly important because this is by no means the group's first success, and is unlikely to be its last.

One key part of the plain-English explanation may be in the statement posted Thursday on the corporate website of Melbourne IT, the Australian company that provides domain name registry services to the Times and about 10 other companies that were targeted less successfully this week by the Syrian group.

Toward the end of the statement, the company recommends that owners of website domain names "take advantage of additional registry lock features available from domain name registries…."

According to the company, the Syrian group's attacks failed to bring down targeted sites that had these additional lock features active.

So, if Melbourne IT is correct, the Syrian hackers obtained the log-in credentials that the Times uses to access its own domain registry information at Melbourne IT, and altered the Internet address associated with www.nytimes.com.

The Times apparently could have, but didn't, use additional levels of security: a second level of password, or the IT guy's mother's maiden name, or whatever. The Huffington Post UK apparently had that second level in place, and didn't suffer a service outage.

The attack on the Times wasn't a particularly sophisticated job, some Web security specialists say. It didn't even achieve its primary goal, which was to post an anti-war message on one or more of the news sites that were attacked. At least, that's what these unusually chatty hackers said in a post to their Twitter account.

Melbourne IT has been nailed as the "weak link" that was used by the Syrian Electronic Army, although it appears that an employee at an unnamed third-party company in the US actually made the fatal mistake.

The hackers sent out a "spear phishing" attack to email addresses belonging to the American company, which provides domain support services to the New York Times and other major companies that do business with Melbourne IT.

An email recipient fell for the lure, giving the hackers access to the third party's emails. In the emails, they found log-in credentials that led straight into the domain registry pages (a.k.a. the DNS configuration pages) of 10 major news sites.

Yes, this sounds fishy. Was that log-in information flying around in emails, or documents attached to emails? Just how accessible is the information, and to whom?

Melbourne IT, which is one of the world's largest domain registries, says it is working with its clients to make sure that they have all available levels of security in place. Good thing Australia doesn't celebrate Labor Day on Monday, because they're going to be busy.

But a group of techies in New York City are going to be plenty busy, too. It looks like a level of security that should have been in place was never put in place, or was disabled at the moment that a bunch of Syrian hackers went phishing.

Moreover, Twitter got caught in the same phishing attack, but managed to restore service quickly. Twitter apparently monitors its DNS settings. But so does the New York Times.

In an email to subscribers Thursday afternoon, the New York Times acknowledged the attack, and said it had been fixed for most users by late Tuesday. But the Times said there had been "some lingering problems" for some users, apparently because not all Internet service providers had updated their systems to reflect the company's fix. It said access should be fully restored by "the end of the day" Thursday.

So, it looks like a whole series of human errors is to blame: An email user fell for a phishing attack. Somebody at the Times left off a level of security for its registry pages. A monitoring system that was supposed to send an alert of a DNS change failed, or was ignored. At a higher level, somebody may have permitted lax protection of user names and passwords.
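Two of the failures listed above, the missing registrar lock and the DNS-change monitor that never fired, are straightforward to check mechanically. The following is an added example, not code from the article or from any of the companies it names: it compares a domain's expected records against what a resolver returns and lists which EPP lock statuses are absent from a registrar's RDAP response. The domain names, addresses and status lists are constructed so it runs offline; the resolver is a stub lambda that a real DNS library would replace.

```python
# Added example (not from the article): a minimal DNS-drift monitor plus a
# registrar-lock check. The resolver is stubbed with a constructed lookup table
# so the code runs offline; a real deployment would call an actual resolver.

from dataclasses import dataclass

# Constructed baseline: what the operator expects its public records to be.
EXPECTED = {
    ("www.example-news.test", "A"): {"192.0.2.10", "192.0.2.11"},
    ("example-news.test", "NS"): {"ns1.registrar.test", "ns2.registrar.test"},
}

# Constructed "live" answers simulating a hijacked state: the A record now
# points at an address the operator never configured.
OBSERVED = {
    ("www.example-news.test", "A"): {"198.51.100.7"},
    ("example-news.test", "NS"): {"ns1.registrar.test", "ns2.registrar.test"},
}

# EPP status values (RDAP spelling per RFC 8056) that block updates and
# transfers. The "server ..." pair is what registries sell as registry lock;
# the "client ..." pair is the registrar-side lock.
LOCK_STATUSES = {"client update prohibited", "server update prohibited",
                 "client transfer prohibited", "server transfer prohibited"}

@dataclass
class Alert:
    name: str
    rtype: str
    expected: set
    observed: set

def check_records(expected, lookup):
    """Compare each expected RRset against a live lookup; return one Alert per drift."""
    alerts = []
    for (name, rtype), want in expected.items():
        got = set(lookup(name, rtype))
        if got != want:
            alerts.append(Alert(name, rtype, want, got))
    return alerts

def lock_gaps(rdap_status):
    """Return the lock statuses missing from an RDAP 'status' list."""
    return LOCK_STATUSES - {s.lower() for s in rdap_status}

if __name__ == "__main__":
    for a in check_records(EXPECTED, lambda n, t: OBSERVED.get((n, t), [])):
        print(f"ALERT {a.rtype} {a.name}: expected {sorted(a.expected)} got {sorted(a.observed)}")
    # Constructed RDAP status list for a domain that only has a transfer lock.
    print("missing locks:", sorted(lock_gaps(["client transfer prohibited", "active"])))
```

Run on a schedule, any non-empty result from either function is the alert the article says should have reached someone at the Times.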

It's just too bad that behind every great domain name stands a bunch of fallible human beings.

The information on this website solely reflects the analysis of or opinion about the performance of securities and financial markets by the writers whose articles appear on the site. The views expressed by the writers are not necessarily the views of Minyanville Media, Inc. or members of its management. Nothing contained on the website is intended to constitute a recommendation or advice addressed to an individual investor or category of investors to purchase, sell or hold any security, or to take any action with respect to the prospective movement of the securities markets or to solicit the purchase or sale of any security. Any investment decisions must be made by the reader either individually or in consultation with his or her investment professional. Minyanville writers and staff may trade or hold positions in securities that are discussed in articles appearing on the website. Writers of articles are required to disclose whether they have a position in any stock or fund discussed in an article, but are not permitted to disclose the size or direction of the position. Nothing on this website is intended to solicit business of any kind for a writer's business or fund. Minyanville management and staff as well as contributing writers will not respond to emails or other communications requesting investment advice.